
Re: Wheezy update of git?


What default shell was used?
The default shell has impacted this kind of thing before.

// Ola

On 21 March 2017 at 13:37, Raphael Hertzog <hertzog@debian.org> wrote:
Hello Chris,

On Mon, 20 Mar 2017, Chris Lamb wrote:
> the Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of git:
> https://security-tracker.debian.org/tracker/source-package/git
> Would you like to take care of this yourself?

Did you check whether the package was affected?

I tried to checkout https://github.com/njhartwell/pw3nage while having
bash-completion loaded and with a PS1 containing $(__git_ps1 2>/dev/null)
or $(__git_ps1 " (%s)") and was unable to get any code execution.

I'm not sure when the vulnerability was introduced but it looks
like that is not affected at least when using bash.

Can someone else double check?

For zsh, I'm not sure either. I tried to run it and to set PS1 as
PS1='[%n@%m %c$(__git_ps1 " (%s)")]\$ '

But here the $(...) part is not even replaced.

Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/

 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
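
For anyone double-checking as requested above, one way to inspect a repository before checking it out under a git-aware prompt is to list ref names containing characters a shell would expand if the name were ever re-evaluated. This is an added example, not code from the thread or from git. It assumes ref names are the input of interest (the thread does not say so); `flag_refs`, `scan_repo` and `scan_remote` are hypothetical names.

```shell
#!/bin/sh
# flag_refs: read one ref name per line on stdin, print those containing
# '$' or a backtick, and return 0 if any were found, 1 otherwise.
flag_refs() {
    found=1
    while IFS= read -r ref; do
        case $ref in
            *'$'*|*'`'*)
                printf 'suspicious ref: %s\n' "$ref"
                found=0
                ;;
        esac
    done
    return "$found"
}

# scan_repo DIR: check every ref of an existing local clone.
scan_repo() {
    (cd "$1" && git for-each-ref --format='%(refname)') | flag_refs
}

# scan_remote URL: check the refs a remote advertises, before cloning.
# git ls-remote prints "<sha><TAB><refname>"; keep only the name.
scan_remote() {
    git ls-remote "$1" | cut -f2 | flag_refs
}

# Constructed sample input (not taken from any real repository).
printf '%s\n' \
    'refs/heads/master' \
    'refs/heads/$(constructed-sample)' \
    'refs/tags/v1.0' | flag_refs || true
```

A clean result only says the ref names are plain; whether the installed prompt code is affected still has to be checked against the packaged version.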
